Archives

Categories

Meta

Does PPEE puppy 1.04 have a Trojan inside?

Two days ago I noticed that a zip file named as PPEE puppy, is submitted to virustotal and is identified as a variant of Trojan by five AVs. The file name was in the form of files downloaded from woodmann.org tool library.

Based on the virustotal report, it was the main exe (PPEE.exe) which was infected.

So I compared the SHA256 hashes of the zip file submitted to virustotal and the zip file which I uploaded to the woodmann library. Amazingly, they had the same hash! It really scared me!

I guessed that probably my computer was infected by a trojan before I compile the code. Hence I installed Avira free AV on a fresh system and compiled the code from scratch. But at the time of building project, Avira prevented the creation of PPEE.exe in release mode. I concluded that it’s a false positive. After several times reviewing code I found the line that caused those AVs to mark PPEE.exe as a trojan.

#pragma comment(linker, "/merge:.rdata=.text")

Yes, merging sections and silly AVs! Such AVs could misdirect people who trust on them.

It’s obvious that to keep binary files as small as possible, I’ve packed them using upx which is very prevalent among developers but it seems that some AVs have never heard of it! That’s why the TheHacker false positively marks PPEE.exe as a Posible_Worm32.

After all, I repackaged the PPEE(puppy) 1.04.zip with new build of PPEE.exe which is now downloadable from mzrst.com . Feel free to use it and report the bugs 😉